3. You are bombarded with bogus infiltration alerts, like the following:

I concede the pushers of FakeAV are not actually selling anything and are, in fact, committing extortion. However, from the perspective of the would-be duped purchaser, their socially-engineered buy was elicited by the limited-free-trial-edition cleverness embedded within the desired product. I digress.

Interestingly, the authors recognize the suspicion that can be raised by these aggressive tactics and have attempted to reduce it by associating with a known brand -- Microsoft. The malware sets up a local HTTP proxy on port 5555 and re-routes all traffic for microsoft.com to the rogue's IP space.

In particular, notice the domain in the address bar is indeed 'microsoft.com', so even diligent users can be tricked into thinking the page is genuinely from Microsoft. Because the local HTTP proxy sits in the path of all browser traffic, the malware can redirect requests for any domain, not just microsoft.com, to rogue IPs of its choosing. Acting as a man-in-the-middle for HTTP traffic, the malware has full control over the web pages seen. As such, this technique could be further abused to associate other illegitimate content, say a fake pharmacy site, with legitimate domains (though at the time of writing, only redirection to microsoft.com was observed).
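A local HTTP proxy of this kind leaves two host-side traces a responder can check: the browser's proxy configuration points at a loopback address, and some process is listening on that port. The following script is an added example written for this post, not code from the original article or from the malware analysis; it parses a WinINET-style ProxyServer value and `netstat -ano`-style output, both constructed here as sample input (the port 5555 comes from the post, the PIDs and other addresses are made up), and reports any loopback proxy together with the PID bound to it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a WinINET ProxyServer value (the string stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings). The format
# is either a bare "host:port" for all schemes or "scheme=host:port;scheme=...".
SAMPLE_PROXY_SERVER = "http=127.0.0.1:5555;https=127.0.0.1:5555"

# Constructed sample lines shaped like Windows `netstat -ano` output.
# PIDs and the non-5555 addresses are invented for the example.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       3720
  TCP    192.168.1.10:49715     93.184.216.34:80       ESTABLISHED     2204
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_proxy_server(value: str) -> dict:
    """Split a ProxyServer string into {scheme: (host, port)}.

    A bare "host:port" with no scheme applies to every scheme and is keyed "*".
    A missing or non-numeric port is returned as None.
    """
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # "" scheme when no "=" present
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            host, port = hostport, None
        else:
            port = int(port)
        entries[scheme or "*"] = (host, port)
    return entries


def loopback_proxies(entries: dict) -> list:
    """Return (scheme, host, port) for every proxy entry that points at localhost."""
    return [(scheme, host, port)
            for scheme, (host, port) in entries.items()
            if host in LOOPBACK]


def listening_ports(netstat_text: str) -> dict:
    """Map each local TCP LISTENING port to its PID from netstat -ano style text."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            _, _, port = fields[1].rpartition(":")
            listeners[int(port)] = int(fields[4])
    return listeners


@dataclass
class Finding:
    scheme: str          # "http", "https" or "*" for a scheme-less entry
    proxy: str           # "host:port" as configured
    pid: Optional[int]   # process listening on that port, if any was found


def assess(proxy_value: str, netstat_text: str) -> list:
    """Flag loopback proxy settings and attach the PID bound to each port."""
    listeners = listening_ports(netstat_text)
    findings = []
    for scheme, host, port in loopback_proxies(parse_proxy_server(proxy_value)):
        findings.append(Finding(scheme, f"{host}:{port}", listeners.get(port)))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_PROXY_SERVER, SAMPLE_NETSTAT):
        print(f"[{finding.scheme}] browser proxied through {finding.proxy}, "
              f"listener PID {finding.pid}")
```

Running the script on the constructed input reports the `http` and `https` proxies at 127.0.0.1:5555 with PID 3720 as the listener. A loopback proxy is an indicator to investigate rather than proof of compromise by itself: debugging proxies and some endpoint protection products configure one legitimately, so the PID should be traced back to its image path and publisher before any conclusion is drawn.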

Yet another reminder that once your system is compromised, you cannot take anything at face value.